12 million iPhone and iPad device IDs allegedly stolen from the FBI by hackers, FBI denies it all

Hackers calling themselves AntiSec (aka LulzSec, Anonymous, etc.) have published online one million iPhone and iPad unique device identifiers (UDIDs). They claim to have another eleven million stashed away and say they stole the information from the FBI.

According to their online declaration, the hackers stole a file named “NCFTA_iOS_devices_intel.csv” from FBI Supervisor Special Agent Christopher K. Stangl’s computer. They claim to have remotely accessed Special Agent Stangl’s machine in March 2012 by exploiting AtomicReferenceArray, a Java vulnerability that was discovered last year and patched by Oracle in February 2012.

AntiSec claims “NCFTA_iOS_devices_intel.csv” contains a list of 12,367,232 UDIDs, with some UDIDs having accompanying information such as full names, addresses, and cell phone numbers. AntiSec says they removed all information aside from UDIDs for the one million they have published online so far, so as to protect the privacy of the device owners.

The FBI, for its part, has come out and denied the allegations, first on Twitter…

Statement soon on reports that one of our laptops with personal info was hacked. We never had info in question. Bottom Line: TOTALLY FALSE.

…then through an official public statement:

The FBI is aware of published reports alleging that an FBI laptop was compromised and private data regarding Apple UDIDs was exposed. At this time, there is no evidence indicating that an FBI laptop was compromised or that the FBI either sought or obtained this data.

However, there are independent confirmations that at least some of the UDIDs AntiSec leaked online are real. Rob Lemos (a journalist) and Peter Kruse (“eCrime specialist”) both say their device UDIDs appear in the list. So, then, the question is where exactly did the UDIDs come from?

It could be that the FBI is indeed collecting this information (why, we don’t know) and is too embarrassed to admit it was hacked, hence the public denial. On the other hand, AntiSec could have obtained this information from some other source (where, we don’t know) and just wants to throw some egg on the FBI’s face by lying about where it came from. Sadly, we likely won’t ever know the truth unless one side confesses.

Ignoring the truth for a second, let’s ponder on the two possible scenarios.

Scenario one: AntiSec is telling the truth and the FBI is collecting information on iDevice owners. This raises the questions of why the FBI is collecting the information and where/how it is getting it. Is Apple involved or helping? Does Apple even know? How the hell did some hackers remotely access a federal workstation through a Java vulnerability that was supposed to have been patched a month prior?

Scenario two: AntiSec is lying. This raises the question of how and where AntiSec got this information. Did they exploit some iOS or App Store vulnerability? Does Apple know about it?